Enable other applications to access users and their identities.
Connect is a set of controls and APIs for allowing other applications to access your users’ identity and resources. Unlike AuthKit’s other features that help users sign into your application, Connect enables other applications to authenticate and access users’ data through secure, managed APIs.
Built on OAuth 2.0 and OpenID Connect, Connect supports common integration patterns out of the box.
Each Connect integration is defined as an Application, which can be created inside the WorkOS Dashboard.
When creating an application, the first step is to choose the type of integration: OAuth or Machine-to-Machine (M2M).
OAuth is the appropriate choice when building web or mobile applications where the actor being authenticated is a User. Integrating with an OAuth application uses the underlying authorization_code OAuth flow, which is supported by many libraries and frameworks out of the box.
Upon successful authorization, the issued tokens contain information about the user who signed in.
M2M is the appropriate choice when the application is a third-party service, such as one of a customer’s applications. Integrating with an M2M application uses the underlying client_credentials flow.
Unlike OAuth applications, the actor being authenticated is not an individual user. Instead, issued access tokens contain an org_id claim representing the customer being granted access via the M2M application.
The M2M application uses its client_id and client_secret to authenticate requests to the application’s API or services.
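On the receiving side, the difference between the two application types decides what a token may be trusted to identify. The following is an added example, not WorkOS code: it assumes the token's signature, issuer, audience and expiry were already verified, that the user identifier sits in the `sub` claim, and that `app_type`, the record layout and the access policy are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


class AccessDenied(Exception):
    """The verified claims do not identify an acceptable principal."""


@dataclass(frozen=True)
class Principal:
    kind: str                 # "m2m" or "user"
    org_id: Optional[str]     # set for M2M tokens
    user_id: Optional[str]    # set for OAuth (user) tokens


def _required(claims: dict, name: str) -> str:
    value = claims.get(name)
    if not isinstance(value, str) or not value:
        raise AccessDenied(f"missing or malformed {name!r} claim")
    return value


def principal_from_claims(claims: dict, app_type: str) -> Principal:
    """app_type comes from the server's own record of the application,
    never from the token or the request (hypothetical registry)."""
    if app_type == "m2m":
        # M2M: the actor is a customer organization, not a person.
        return Principal("m2m", _required(claims, "org_id"), None)
    if app_type == "oauth":
        # Assumption: the signed-in user's identifier is the "sub" claim.
        return Principal("user", None, _required(claims, "sub"))
    raise AccessDenied(f"unknown application type {app_type!r}")


def can_read(principal: Principal, record: dict) -> bool:
    """Hypothetical policy: M2M reads its own organization's records,
    a user reads records they own. Anything else is denied."""
    if principal.kind == "m2m":
        return record["org_id"] == principal.org_id
    if principal.kind == "user":
        return record["owner"] == principal.user_id
    return False


# Constructed sample data.
RECORD_A = {"org_id": "org_example_a", "owner": "user_example_1"}
RECORD_B = {"org_id": "org_example_b", "owner": "user_example_2"}
```

The organization is always taken from the verified `org_id` claim, so a request parameter naming another organization cannot widen an M2M caller's access.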
When using Connect, there are several actors involved with the integration of each Application:
Applications can have up to 5 credentials. These are only shown once upon creation and do not expire. The application client_id and client_secret from a credential can be used to authenticate to the Connect APIs.
When sharing app credentials with an external party, a secure method should be used – such as encrypted email or file sharing – and the recipient should be properly authenticated.